ASA interview questions and answers

 

Question 1. What are the ASA security Levels?

 

Answer: In ASA, security levels are nothing but the interfaces of the firewall. In the ASA
firewall, we have security levels from 0 to 100. The security level on the inside interface is 100, which means it is more
trusted. The security level on the outside interface is 0, which means we cannot trust it because it is the untrusted side.

 

Question 2. What is the default session timeout for TCP?
Answer: 60 minutes

 

Question 3. What is a Layer 2 firewall?

 

Answer: Transparent firewalls can act as a layer 2 device. Transparent firewalls can be
easily configured on existing networks. In a transparent firewall, layer 3 traffic can easily
pass from higher security levels to lower security levels without any access-list
configuration.

 

Question 4. How does stateful inspection work in a firewall?
Answer: Stateful firewalls have state tables, also called connection tables. In the state table we can
keep track of all active connections. Stateful firewalls have dynamic state tables, which
change on every state change of each connection. A stateful firewall first inspects the
state table and then the policies.

 

Question 5. If we have the same security level on both sides, can we connect?

 

Answer: We need to use one command for communication:
same-security-traffic permit inter-interface

 

Question 6. What kind of information does the firewall maintain in Stateful
Inspection?
Answer: The state table maintains the following types of information:
Source IP address
Destination IP address
IP protocol (TCP and UDP)
IP protocol information, which is nothing but TCP/UDP port numbers, TCP
sequence numbers and TCP flags

Question 7. Explain the packet flow in ASA?
Answer: When a packet is received at the ingress interface, the ASA checks for an existing entry in the state
table. If it matches, protocol inspection takes place on that packet.
-SYN packet or UDP packet.
Then it sends the packet for the ACL check.
If the packet is allowed by the ACL, it is verified by the translation rule, followed by protocol
inspection on the packet.
The IP header is translated through the NAT translation rule by the egress interface.
Once the packet is translated through the egress interface, a route lookup is performed.
If a route that specifies the egress interface is found, the layer 2 header of the packet
is rewritten and the packet is sent out of the egress interface.

 

Question 8. What are the timeouts for TCP sessions, UDP sessions, and ICMP
sessions?
Answer:
TCP session: 60 minutes
UDP session: 2 minutes
ICMP session: 2 sec
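
The answers to Questions 4, 6 and 8 can be tied together in a small model. This is an added example, not Cisco's implementation and not part of the original page: a simplified state table that is checked before the policy and uses the idle timeouts listed above. NAT, routing and protocol inspection are left out, and the class, its `permits` ACL format and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Idle timeouts in seconds, from the answer above (TCP 60 min, UDP 2 min, ICMP 2 sec).
IDLE_TIMEOUT = {"tcp": 60 * 60, "udp": 2 * 60, "icmp": 2}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK, i.e. a connection opener

class StatefulFirewall:  # hypothetical model, not an ASA API
    def __init__(self, levels, permits=()):
        self.levels = levels         # interface name -> security level (0-100)
        self.permits = set(permits)  # assumed ACL format: (ingress, proto, dst, dport)
        self.conns = {}              # connection key -> time last seen

    @staticmethod
    def _key(p):
        # Direction-independent key so a reply matches the opener's entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def process(self, p, ingress, egress, now):
        key = self._key(p)
        seen = self.conns.get(key)
        # 1. State table first: an unexpired entry skips the policy check.
        if seen is not None:
            if now - seen <= IDLE_TIMEOUT[p.proto]:
                self.conns[key] = now
                return "allow (existing connection)"
            del self.conns[key]      # idle timeout reached, entry removed
        # 2. No entry: a TCP packet that is not a SYN cannot create one.
        if p.proto == "tcp" and not p.syn_only:
            return "drop (no connection entry)"
        # 3. Policy: higher to lower level passes, otherwise an ACL permit is needed.
        if (self.levels[ingress] > self.levels[egress]
                or (ingress, p.proto, p.dst, p.dport) in self.permits):
            self.conns[key] = now
            return "allow (new connection)"
        return "drop (policy)"

def demo():  # constructed sample traffic: opener, reply, reply after idle timeout
    fw = StatefulFirewall({"inside": 100, "outside": 0})
    syn = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, syn_only=True)
    reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000)
    steps = [(syn, "inside", "outside", 0), (reply, "outside", "inside", 1),
             (reply, "outside", "inside", 4000)]
    return [fw.process(*s) for s in steps]
```
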

Question 9. Which command will we use to check the connection table?
Answer: # show conn

Question 10. Explain the working of ASA at the time of traceroute?
Answer: When the ASA gets a traceroute command, it does not decrease the TTL value,
because for security reasons it does not want to give out information about the ASA. It
passes on the TTL value without any decrement.

Question 11. What are the configurations we cannot configure on ASA?
Answer: We cannot perform the following configurations on ASA:
Loopback (logical interface)
